www.emagined.com

Liability Issues when Banking Transaction Fraud Occurs

March 12th, 2010

Just yesterday I had a very interesting telephone conversation with someone concerning liability issues when banking transaction-related fraud occurs. If a bank customer’s savings account is drained by a fraudster, who is liable, the customer or the bank?
This issue is by no means new. You might recall the incident that occurred in 2005 in which an owner of a small business, Joe Lopez, found that funds had been transferred from his company’s Bank of America account without his authorization. He reported what had occurred to the bank, which launched an investigation that showed that a keystroke logging program had been installed on Lopez’s PC. The perpetrators gained remote access to this PC, copied the stolen information, and used it to make money transfers to a bank in Latvia that ultimately ended up in their hands. Informing Lopez that the fraud was due to Lopez’s failure to secure his computing system rather than the bank’s failure to provide suitable security, the bank initially refused to replenish the stolen funds. Lopez disagreed. The press picked up the story, making it look as if Lopez had been victimized by a gigantic, customer-indifferent bank. Fearing public relations damage, the Bank of America reversed its position and compensated Lopez for the money he had lost.

Emagined Security Consultant: Dr. Eugene Schultz, PhD, CISM, CISSP. Category: Network Security

Could the U.S. Lose a Cyberwar?

March 8th, 2010

Nearly two weeks ago Admiral Mike McConnell, the former U.S. Director of National Intelligence (DNI), testified about the preparedness of the U.S. in the event of a cyberwar at a meeting of the U.S. Senate Commerce, Transportation and Technology Committee. He said that if the U.S. were to be attacked in a cyberwar, the U.S. would lose. Admiral McConnell’s testimony created shock waves among members of this committee, who reportedly did not have a clue that the U.S. was so dismally prepared for cyberwarfare. Jim Lewis, who heads the government’s Commission on Cybersecurity, followed Admiral McConnell by saying that most of the U.S.’s critical computing infrastructure is within the commercial sector, but this sector is not doing enough to safeguard computing assets. According to Lewis, no improvements in cybersecurity practices within private industry are likely to occur unless regulations require these improvements.

Emagined Security Consultant: Dr. Eugene Schultz, PhD, CISM, CISSP. Category: Network Security

RSA 2010

March 5th, 2010

Earlier this week I once again went to the RSA Conference in San Francisco. I could have gone to some of the presentations and panels, but once again I chose to not do so. Why? I have found that many times one can learn more from meeting and talking to people at this conference rather than attending sessions, and once again I found this to be mostly true.

I went to the RSA Conference last year and noted in a blog entry shortly afterwards that attendance had dropped considerably from 2008. An unfortunate outcome was my having to deal with the conference’s PR firm, which objected to my mentioning the then downward turn in attendance. Good news—this firm should have no objection whatsoever to my saying without any reservation that the attendance for RSA 2010 was dramatically higher than last year. My main metric, good or bad as it might be, is how easy it is to get from point A to point B within the Moscone Convention Center. This year I had to constantly dodge people in the main upstairs areas and down below in the exposition hall. Seating areas were crowded. There is no doubt that attendance was at least back to its 2008 levels, or very possibly even higher.

Emagined Security Consultant: Dr. Eugene Schultz, PhD, CISM, CISSP. Category: Network Security

Guest Editorial on Code Liability

March 1st, 2010

In a SANS NewsBites editorial a little over a week ago I lamented the fact that to date software companies have for the most part not been held responsible in legal cases for damages resulting from bugs in their code. I described this situation as “the single greatest enabler of bug-infested coding on the part of vendors.” A mentor and also friend of mine, the legendary Bill Murray, sent me a message with a plethora of excellent comments concerning the issue of liability related to software bugs. His commentary on this issue is so outstanding that I decided to (with his advance consent) publish it as a blog posting.

Emagined Security Consultant: Dr. Eugene Schultz, PhD, CISM, CISSP. Category: Network Security

The Death of Risk

March 1st, 2010

My friend and colleague Donn Parker, security consultant and researcher par excellence, gives an RSA session entitled “Alternatives to Security Risk Management” (RSA P2P 204A Weds at 1pm Burgundy 222) in which he attempts once more to debunk the myth that “risk can be managed” in information security. Donn has been on the forefront of thinking about information security since the 1970s, and he is used to being ignored by all types of people who either don’t get it or haven’t figured out a way to exploit an idea for profit yet. Sometimes his rants can seem quixotic but almost always look prescient after the fact. Here is an example. Donn is not saying that “risk doesn’t matter” (although read below for more on this notion), but he is saying that the idea that an organization can use quantitative techniques analyzing detailed risk profiles around data and controls to make decisions about information security is pure bunkum. I agree…mostly.

Emagined Security Consultant: James M. Anderson, CISSP, CISM, CGEIT. Category: Network Security

Smartphone Forensics: Part 7

February 26th, 2010

This is the last of a seven-part series on smartphone forensics. The topic is what to do with the information that has been copied from smartphones and other mobile devices such as iPods. We’ll assume that the forensics data have been copied to a special handheld device for mobile device forensics (such as one that Guidance Software makes), a PC (ideally one on which a forensics tool is running), or a secure USB drive. (The best forensics procedure is actually to make two copies, one a best evidence copy to be stored in a forensics vault, and the other a working copy for forensics analysis.) One of the risks in making forensics dumps is the possibility that information obtained in this manner might be altered on the computer or device to which it has been copied. The copied data must thus be accessible in read-only mode so that nothing can be changed. Additionally, a hash value (preferably using one of the SHA family of hash algorithms) of the data should be computed and, if possible, compared to the hash value of the data on the original device. Forensics tools make performing all these procedures much easier and more error-proof, but experienced forensics investigators can do just about anything without such tools if necessary. For example, it is possible to set a Registry value in Windows XP to prevent the ability to write.

Emagined Security Consultant: Dr. Eugene Schultz, PhD, CISM, CISSP. Category: Network Security

Smartphone Forensics: Part 6

February 22nd, 2010

The first posting in this series provided an introduction to smartphone forensics. Parts two, three, four and five covered forensics in iPhones, BlackBerrys, Motorola smartphones, and iPods, respectively. So far we’ve gone over how to use forensics procedures to capture data from each type of cell phone as well as some of the challenges involved, but we haven’t really gone farther in the forensics process. This sixth posting in this series covers some of the other extremely important procedural considerations. These include how to gain access to data on smartphones, ensuring that all relevant data are captured, protecting the integrity of data, dealing with differences in operating systems and file systems, and being careful to avoid errors that can easily invalidate a forensics investigation.

Emagined Security Consultant: Dr. Eugene Schultz, PhD, CISM, CISSP. Category: Network Security

Smartphone Forensics: Part 5

February 19th, 2010

So far this series has covered forensics for the iPhone, Blackberry, and Motorola smartphones. I was just about ready to wrap up this series when I suddenly realized that iPods and similar devices are now also increasingly the focus of forensics investigations. Accordingly, this posting covers forensics for iPods.

One of the most important initial considerations regarding forensics investigations with iPods is that these devices are often physically connected to computers. Whenever this is the case, the iPod becomes a mounted device on the computer. You can determine whether or not an iPod is mounted on another computer by looking at the iPod’s screen. If “Do Not Disconnect” is displayed, the iPod is mounted, and it thus has to be unmounted before it is physically disconnected from the computer. To do this on Macintosh computers, drag the iPod icon to the trash bin on the Mac desktop. To do this on Windows computers, click the “Unplug or eject hardware” icon that is displayed in the taskbar in the lower right-hand part of the display. If the iPod is not unmounted before being physically disconnected from a computer, the iPod’s hard drive can be damaged.

Emagined Security Consultant: Dr. Eugene Schultz, PhD, CISM, CISSP. Category: Network Security